AUTHENTICATED FIREWALL TUNNELING FRAMEWORK

FIELD OF THE INVENTION

The present invention relates to the security of networks and, in particular, to the security of hosts communicating through a firewall.

BACKGROUND OF THE INVENTION

The number of organizations linking their internal networks to the Internet is growing at what appears to be an exponential rate. Access to the Internet enables computers on the organization's internal network to access the computers on other networks linked to the Internet. Likewise, the computers on the other networks linked to the Internet may access the computers on the organization's internal network, thus rendering an organization's computer resources vulnerable to unwelcome and potentially malicious outsiders.

For the purpose of explanation, entities to which network traffic may be directed are referred to herein as "hosts". Examples of hosts include computers and printers.

One mechanism providing security against unwelcome outsiders is a firewall. A firewall is a combination of software and one or more network devices (e.g. routers) through which network traffic is directed. Firewalls are used to screen traffic between "internal" networks and "external" networks (e.g. networks linked to the Internet) for security purposes. Typically, a firewall protects resources on "internal" networks from undesired access via external networks by blocking or redirecting certain kinds of network traffic.

For example, referring to FIG. 1, corporate network 110 is protected by firewall 112 and thus corporate network 110 is internal relative to firewall 112. Host 182 is on an external network (not illustrated) that is linked to the Internet 228, and is external relative to firewall 112 and corporate network 110. Channel 192 represents a channel through which host 182 has attempted to connect to a web server on host 114, which is on corporate network 110. A web server is a server that communicates, for example, using the hypertext transfer protocol (HTTP). Firewall 112 prevents external host 182 from accessing the web server on host 114 by blocking the attempted connection. Channel 190, on the other hand, represents a connection by internal host 114 to a web server on external host 182 which is not blocked by firewall 112, thus permitting internal host 114 to access the web server on external host 182. Firewall 112 thus allows internal hosts to access web servers on external hosts, but does not allow an external host to access a web server on the internal network.

The terms "channel" and "connection" are used herein. A "channel" is a path of communication through which two or more processes may direct communication (as used herein, the term "process" refers to a process under the control of an operating system). For example, a process on internal host 114 may communicate with a process on external host 182 through a network link to firewall 112, and then through the Internet 228 to external host 182. This path of communication is referred to as a channel, or more specifically, channel 192. A "connection" is a channel that two active processes are currently using to communicate. These processes need not communicate using HTTP. For example, a connection exists on channel 190 when a process on internal host 114 is using channel 190 to communicate with a process on host 182.

Channels may be constructed from one or more connections. For example, a "tunnel" is a kind of channel which is built from one connection from an external host to a firewall, and another from that firewall to an internal host. Data from one host to the other travels through both connections (and the firewall). The two hosts involved generally treat this channel just like they would treat a simple connection, except for the tunnel setup phase.

The typical steps to establish a connection between a first process and a second process include (1) the first process requesting the connection to the second process, and (2) receiving acknowledgement that the second process will accept and transmit data to the first process over the connection. A host is considered to be "connected to" another host when a process on the host is connected to a process on the other host. Under these conditions, the host is also considered to be "connected to" the process that is on the other host.

Referring again to FIG. 1, internal host 114 may be accessed by internal host 116 without going through the firewall. Internal hosts on a network are said to be "behind" the firewall because network traffic flowing between them does not pass through the firewall. External hosts are said to be "outside" the firewall because traffic between external hosts and internal hosts passes through the firewall.

Often, it is desirable to treat some external hosts as hosts that are "virtually" behind the firewall, thus providing those external hosts a higher level of access to the internal network than is provided to other external hosts. For example, an organization may operate a first network 110 at a first physical location (e.g., the organization's headquarters) and a second network 130 at a second physical location that is remote relative to the first location. The first network and second network are both external relative to each other and both linked to the Internet 228. The services available on the first network 110 include corporate electronic mail servers and corporate business applications. Because the second network 130 serves the same organization, it is desirable to provide hosts (e.g., host 134) on second network 130 the same level of access that is provided to hosts on the first network 110. By granting hosts on the second network 130 the same level of access, the electronic mail servers and corporate business applications may be accessed by hosts 134 on the second network 130, even though those hosts are external relative to the first network 110.

One mechanism of providing such access is referred to as a virtual private network. In a virtual private network, one or more secure channels interconnect two or more networks. Secure channels usually provide for the secure transmission of data by, for example, encrypting data that flows through the secure channel. Secure channels often pass through public networks such as the Internet.

FIG. 1 shows an example of a virtual private network. Corporate network 110 and corporate network 130 form a virtual private network and are interconnected by secure channel 138.

Network traffic between networks within a virtual private network passes through one of the secure channels without being blocked by the firewall. For example, traffic between host 134 and host 114 is not blocked by firewall 132 or firewall 112. Thus host 134 is treated as if host 134 is behind firewall 112.

It is possible that an unwelcome outsider may, by gaining access to one network within a virtual private network, compromise the security of every network within the virtual private network. For example, an unwelcome outsider may,
by gaining access to host 134, gain access to corporate network 130 and corporate network 110.

To prevent a virtual private network from being compromised in this fashion, network traffic to and from hosts outside a virtual private network (i.e. a host connected to a network not part of the virtual private network) is often "consolidated" through one network. Specifically, all network traffic to and from members of a virtual private network is "funneled" through one network and its firewall. The network whose firewall is used to funnel the traffic between the members of the virtual private network is referred to as the "primary" network. The other networks within the virtual private network are referred to herein as "subsidiary" networks. A host on a subsidiary network is referred to as a subsidiary host.

For example, corporate network 110 is the primary network. Firewall 112 controls network traffic between corporate network 110 and any network outside of the virtual private network. All network traffic between the hosts on corporate network 110 and corporate network 130 and hosts outside the virtual private network comprised of corporate networks 110 and 130 is "funneled" through corporate network 110 and firewall 112.

One disadvantage of a virtual private network is that a virtual private network requires low-level changes to the operating system. Another disadvantage of most kinds of virtual private networks is the overhead incurred in funneling through the primary network all network traffic that travels between subsidiary hosts and hosts outside the virtual private network. Specifically, network traffic from a subsidiary host to a host outside the virtual private network must pass through the secure channel, through the firewall into the primary network, then back out the firewall of the primary network to the outside host. Furthermore, any network traffic through the secure channel is encrypted, even though such traffic may not need the level of security provided by encryption. The overhead involved in encrypting would not have occurred had the same network traffic been sent from the subsidiary host directly to the outside host.

For example, consider network traffic flowing from host 134 (FIG. 1) to host 182. Network traffic from host 134 to host 182 is encrypted and directed through secure channel 138 to corporate network 110. Network traffic then passes from corporate network 110 through firewall 112, and then through the Internet 228 to host 182. Note that encryption of the network traffic occurred for transmission over secure channel 138 even though encryption is not performed for the rest of the path through the Internet 228 to host 182.

Another disadvantage of most kinds of virtual private network is that all hosts on the virtual private network are provided the same level of network access as any other host on the virtual private network. Thus, such virtual private networks are unsuitable for common situations where it is desirable to selectively provide network access for external hosts to some internal hosts on a network but not to other internal hosts. For example, it may be desirable for a business organization to allow the external hosts of customers to access an internal host providing "customer ordering services" but prevent the external hosts from accessing the internal hosts on which the business organization's internal accounting services reside. If the networks of the customer are made part of a virtual private network that includes the network of the business organization, a host on the customer's network would have the same level of network access as an internal host on the business organization's network, and thus may be able to access the business organization's internal accounting services.

Yet another disadvantage of most kinds of virtual private networks is that users outside the primary network are granted similar access to the corporate network. Thus, such virtual private networks are unsuitable for common situations where it is desirable to "selectively" provide network access to various users on the same host, or to provide the same level of access to the same user on different external hosts. For example, an internal host ("clinical information server") in a hospital provides clinical information to clinical users. Patient confidentiality requires that access is generally denied to external hosts (i.e. hosts external to the hospital's network). Most virtual private networks cannot concurrently prevent network access to the clinical server by one set of users while permitting access to another set of users, e.g. doctors.

Based on the foregoing, it is desirable to provide a method which avoids the overhead caused by the consolidation of network traffic to and from networks outside a virtual private network through the primary network. It is further desirable to provide a method that selectively permits one type of network traffic from a set of hosts outside a firewall but blocks another type of network traffic from the same set of hosts.

SUMMARY OF THE INVENTION

A method and apparatus for managing network access to internal hosts protected by a firewall is described. According to an aspect of the present invention, a user on an external host logs into a firewall. Once the user has been authenticated to the firewall, a session is established for the user, and tunnel configuration data is transmitted to the user's process on the external host. The tunnel configuration data indicates the configuration of at least one tunnel for connecting to at least one internal host. When creating a socket for connecting to the internal host, the socket is configured based on the tunnel configuration data.

According to another aspect of the present invention, tunnel objects and tunnel socket objects may be specially configured to establish a connection in a way that takes advantage of the power and simplicity of the inheritance feature of object oriented software. Various tunnel classes are provided to configure tunnels in a variety of manners.

The present invention provides the ability to flexibly use different "strategies" within the same basic framework, and on the same host. The kind of IP [...] operating system level. Virtual private networks which focus on Internet Protocol (IP) mechanisms do not have application information sufficient to provide comparable flexibility. The framework presented herein works from the low levels to the high levels in the network communications protocol stack.

According to another aspect of the present invention, the firewall may be managed at a finer level of granularity, based on configuration data particular to the user, rather than solely based on configuration data particular to a host. For example, the same user can use different hosts at different times, and be granted the same level of access.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:

FIG. 1 is a block diagram showing a virtual private network;

FIG. 2 is a block diagram that illustrates a computer system 200 upon which a firewall or networked host may be implemented according to an embodiment of the present invention;

FIG. 3 is a block diagram showing an exemplary network architecture upon which an embodiment of the present invention may be implemented;

FIG. 4 is a flow chart showing steps for configuring a socket factory to provide tunnel sockets in accordance with an embodiment of the present invention;

FIG. 5A is a block diagram showing an exemplary tunnel configuration table in accordance with an embodiment of the present invention;

FIG. 5B is a block diagram showing an exemplary inside channel table in accordance with an embodiment of the present invention;

FIG. 6 is a flow chart showing steps for generating a tunnel socket according to an embodiment of the present invention;

FIG. 7 is a flow chart showing steps for connecting through a tunnel in accordance with an embodiment of the present invention;

FIG. 8 is a flow chart showing steps for establishing a connection through a tunnel using the "firewall-mapped" approach in accordance with an embodiment of the present invention;

FIG. 9 is a flow chart showing steps for establishing a connection through a tunnel using the "class-based" approach in accordance with an embodiment of the present invention; and

FIG. 10 is a block diagram of an exemplary hierarchy of tunnel classes which may be implemented for use according to the class-based approach in an embodiment of the present invention.

DETAILED DESCRIPTION

A method and apparatus for providing firewall tunnels is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

Hardware Overview

FIG. 2 is a block diagram that illustrates a computer system 200 upon which a firewall or networked host may be implemented according to an embodiment of the present invention. Computer system 200 includes a bus 202 or other communication mechanism for communicating information, and a processor 204 coupled with bus 202 for processing information. Computer system 200 also includes a main memory 206, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 202 for storing information and instructions to be executed by processor 204. Main memory 206 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 204. Computer system 200 further includes a read only memory (ROM) 208 or other static storage device coupled to bus 202 for storing static information and instructions for processor 204. A storage device 210, such as a magnetic disk or optical disk, is provided and coupled to bus 202 for storing information and instructions.

Computer system 200 may be coupled via bus 202 to a display 212, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 214, including alphanumeric and other keys, is coupled to bus 202 for communicating information and command selections to processor 204. Another type of user input device is cursor control 216, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 204 and for controlling cursor movement on display 212. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.

The invention is related to the use of computer system 200 for providing firewall tunnels. According to one embodiment of the invention, firewall tunnels are provided by computer system 200 in response to processor 204 executing one or more sequences of one or more instructions contained in main memory 206. Such instructions may be read into main memory 206 from another computer-readable medium, such as storage device 210. Execution of the sequences of instructions contained in main memory 206 causes processor 204 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to processor 204 for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 210. Volatile media includes dynamic memory, such as main memory 206. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 202. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punchcards, papertape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read.

Various forms of computer readable media may be involved in carrying one or more sequences of one or more instructions to processor 204 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 200 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector coupled to bus 202 can receive the data carried in the infra-red signal and place the data on bus 202. Bus 202 carries the data to main memory 206, from
which processor 204 retrieves and executes the instructions. The instructions received by main memory 206 may optionally be stored on storage device 210 either before or after execution by processor 204.

Computer system 200 also includes a communication interface 218 coupled to bus 202. Communication interface 218 provides a two-way data communication coupling to a network link 220 that is connected to a local network 222. For example, communication interface 218 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 218 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 218 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 220 typically provides data communication through one or more networks to other data devices. For example, network link 220 may provide a connection through local network 222 to a host computer 224 or to data equipment operated by an Internet Service Provider (ISP) 226. ISP 226 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 228. Local network 222 and Internet 228 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 220 and through communication interface 218, which carry the digital data to and from computer system 200, are exemplary forms of carrier waves transporting the information.

Computer system 200 can send messages and receive data, including program code, through the network(s), network link 220 and communication interface 218. In the Internet example, a server 230 might transmit a requested code for an application program through Internet 228, ISP 226, local network 222 and communication interface 218. In accordance with the invention, one such downloaded application provides for firewall tunnels as described herein.

The received code may be executed by processor 204 as it is received, and/or stored in storage device 210, or other non-volatile storage for later execution. In this manner, computer system 200 may obtain application code in the form of a carrier wave.

Exemplary Network Architecture

FIG. 3 is a block diagram that shows an exemplary network architecture used to illustrate an embodiment of the invention. Internal network 308 is a LAN that is protected from other external networks, such as the Internet 228, by a firewall 330. Firewall 330 may consist of one or more cooperating hosts. Host 310, host 312, host 314 and host 316 are several of the hosts and resources on internal network 308.

External host 350 is a host linked to the Internet 228. A process running on external host 350 may connect to a host on internal network 308 in a manner which shall be described in more detail. Firewall 330, host 310, host 312, host 314, host 316, and external host 350 are each associated with a network address, such as an Internet Protocol ("IP") address.

A user, such as user 360, is an entity on whose behalf one or more processes are executing. A user may be an individual, or another process. For example, process 362 may be a web browser displaying web pages to user 360. Web browsers are processes running software that sends and receives data from servers that participate in the World Wide Web. Web browsers may also load code, such as Java™ code, and execute such code or launch processes which execute the code. Examples of browsers are Microsoft Corporation's Internet Explorer, or Netscape Corporation's Navigator. Process 364 and process 366 are Java applications executing code loaded by process 362. Such Java applications include the HotJava™ browser, available from Sun Microsystems, Incorporated.

A process that is associated with the user is referred to as a user process. Process 362, process 364, and process 366 are each examples of user processes.

Socket factory 368 resides on external host 350. A socket factory provides sockets. A socket is a set of code modules and related data that serves as an interface for communicating between processes, including processes on two or more hosts linked by a network. Sockets typically provide an interface to a channel, such as a connection, between two processes. Sockets insulate users of sockets (e.g. processes) from the complexities of communicating with other processes.

In one embodiment of the present invention, a socket factory and a socket are objects which are instantiations of classes developed in object-oriented software. For example, socket factory 368 is an instantiation of a socket factory class.

A socket may be an object that provides a set of methods which may be invoked for the purposes of communicating with another process. For example, one method may be invoked to establish a connection with a process associated with a particular IP address and a port. Another method may be invoked to transmit data to the other process, and yet another method may be invoked to terminate the connection.

The techniques described herein are not limited to object oriented software. For example, object classes correspond to abstract data types, objects correspond to instances of abstract data types, and the methods of an object correspond to the functions that are used to perform operations on data contained in instances of abstract data types.

Firewall configuration data 332 is data that is used to configure firewall 330. A portion of firewall configuration data 332 may reside on other hosts, including internal hosts. For example, firewall configuration data 332 may include data (1) specifying that network traffic from one source be blocked, (2) specifying that network traffic from another source be rerouted to another network, (3) user profile data, and (4) data available through user authentication services. Firewall configuration data 332 contains other types of configuration data which shall be described later.

FIG. 3 shows a tunnel according to an embodiment of the present invention. Tunnel 341 is an exemplary tunnel through which a user process may connect to an internal host behind firewall 330.

In accordance with an embodiment of the present invention, one or more tunnels are associated with a user. Access through a firewall is based on the user associated with a process. Thus, once it has been determined that access may be granted to the user associated with a process, access may be securely permitted even though the process may reside on an external host. Security may be managed at a finer level of control than that provided by mechanisms based solely on a user's host. Furthermore, the overhead of operating firewall 132 to consolidate traffic through a primary network becomes optional, so that users on a partially trusted host 182 (or 350) can be granted selective access.

Login channel 342 is used to authenticate a user to the firewall. Usually the login channel is to a well known login port on firewall 330, such as port 443. A login channel can be set up without user authentication. After setting up the channel, login is performed.

Tunnel 341 includes a user-authenticated channel 340. A user-authenticated channel is a secure channel through which a user process associated with an unterminated session on a firewall may connect to the firewall through a tunnel entry port (e.g. port 777). A tunnel entry port is the port on a firewall corresponding to a particular user-authenticated channel. Tunnel 341 also includes inside channel 343, which represents the portion of tunnel 341 between the firewall and the respective internal host. A port corresponding to an inside channel on the internal host is referred to as an inside port.

A user process on an external host 350 may establish a tunnel 341 after logging in to access a service provided by the internal host 312. A service is a set of processes that provides functionality for other processes, including processes on a different host. Examples of services are an FTP server (a server which sends/receives according to the "file transfer protocol"), an IMAP server 315 (an electronic mail server that follows the Internet Message Access Protocol) or RPC Calendar 317 (a scheduling service that uses remote procedure calls). The functionality provided by a service can be made available to a process by connecting to a particular host at a designated port. For example, the RPC calendar service 317 is available on host 310.

User process 362 on external host 350 may communicate with internal host 312 behind the firewall 330 by requesting from socket factory 368 a socket configured to connect the user process 362 to the internal host 312 via a tunnel. A socket 367 which is configured to connect a user process 362 to an internal host 312 through a tunnel 341 is referred to as a tunnel socket. From the perspective of the user process 362, tunnel socket 367 is requested as a connection to the internal host 312 and appears as a connection to the internal host 312, even though the tunnel socket 367 is configured to use a tunnel 341.

Before tunnel socket 367 may be created for user process 362, a secure session associated with the respective user 360 must be established with the firewall 330. When the user logs in and establishes a secure session, information on how to configure tunnel sockets is transmitted to user process

[...]

channel 343. One or more methods of the tunnel object are executed to configure and establish inside channel 343. Through the power and simplicity of the inheritance feature of object oriented programming, a set of classes may be implemented to configure inside channels in a variety of manners. For example, a firewall may authenticate in turn to another firewall, could monitor traffic to ensure that some particular security policy is obeyed, or use a particular encryption protocol. Likewise, a set of classes may be implemented to configure sockets in a variety of manners.

Establishing Session and Configuring The Socket Factory

FIG. 4 shows the steps performed to establish a session and to configure socket factory 368 to provide tunnel sockets. The steps may be performed in response to user process 362 on external host 350 logging into firewall 330 prior to accessing a service on internal host 312. The steps in FIG. 4 are illustrated using the exemplary architecture shown in FIG. 3. Assume user process 362 is initiating a connection to internal host 312.

At step 410, a secure connection between the external host 350 and firewall 330 is established through login channel 342. A secure connection provides for the secure transmission of data by, for example, the encryption of data. A secure connection may be established using the Secure Sockets Layer (SSL) protocol for establishing secure connections as originally defined by Netscape Corporation. Those skilled in the art will recognize that there are many techniques for establishing secure connections, and those techniques shall not be further described. In this example, assume user process 362 creates socket 361 to establish a secure connection through login channel 342 to firewall 330.

At step 420, the user is authenticated relative to the firewall 330. Authentication, as referred to herein, is the process of receiving information used to identify a user, and using the information to verify that the user is what or who the user has been identified to be. The user's authenticated identity is used to determine what acts may be performed by or on behalf of the user, which is referred to as "authorization." Authenticating the user is a central part of setting up the user session. It generally involves either secrets known to the user, or secrets held by the user in a privacy protected file, hardware token, or both.

Authentication relative to the firewall 330 refers to authenticating user 360 and determining whether user 360

362. The tunnel configuration data received includes, for may traverse the firewall 330. If the user 360 is what or who 

example, a tunnel entry port to which to connect in order to it has been identified to be, the user 360 is considered 
connect to a particular internal service. When a user process 50 verified. If the user 360 is verified, and it is determined that 

on an external host requests a socket to the particular internal the user 360 may traverse the firewall 330, the user is 

host, the socket factory uses the tunnel configuration data to considered authenticated relative to the firewall 330. The 

configure a tunnel socket. present invention is not limited to any particular technique 

When user process 362 attempts to establish a connection for authenticating users. In fact, user authentication can be 
to internal host 312 and port using tunnel socket 367, 55 delegated to a separate user authentication service module, 

firewall 330 determines whether a tunnel is permitted to which can support a variety of authentication schemes, 

connect user process 362 to the sought internal host 312 and One well known authentication technique is the "Basic 

port. If so, then firewall 330 determines the configuration of Usemame/Passphrase" authentication. In "Basic Usemame/ 

a channel between firewall 330 and the sought internal host Passphrase" authentication, a user supplies a name and 
312 and port, and establishes a connection through the 60 phrase to the firewall 330 over a secure channel. The firewall 

channel accordingly. Thus, user process 362 commimicates 330 then looks up the name and phrase pair in a database of 

to internal host 312 through user-authenticated channel 340 valid pairs of names and phrases. If the name and phrase 

between firewall 330 and user process 362, and through match valid pairs stored in the database, then the user 360 is 

inside channel 343 between firewall 330 and internal host considered to be authenticated relative to the firewall 330. 
312. 65 Another well known technique is "Challenge/Response" 

When a connection through a tunnel is established, a authentication. In the challenge response authentication, a 

tunnel object 334 is created for user channel 340 and inside user supplies a user name and is then challenged by being 
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prompted for another response. The firewall 330 calculates first channel The connection request includes information 

a correct response according to a mechanism supplied to identifying a first session which is no longer active. The user 

both the firewall 330 and authentic users. If the user 360 is then authenticated again relative to firewall 330 using 

response matches the correct response, then the user is login channel 342. The authentication of user 360 represents 
considered verified. 5 a session enabling event because user 360 is associated with 

Another authentication technique is the SSL authentica- a session that is no longer active. Thus, a first session, as 

tion protocol, available from Netscape corporation and oth- well as the new connection, are established, 

ers. SSL authentication provides for "strong" authentication. ^^^^ ^j.,^^ g^, co^^ction is established. 

In strong authentication, a certificate and a digitid signature associated with user 360 Uansmits 

generated from digitally encrypted random J connection over a second 

is transmitted to the firewall. A cerUficate is data about a . i^^at^ * u-ij f a 

user, and includes data identifying the user and data used for request would mclude information iden- 

encryplion purposes (e.g. public key). Firewall 330 uses the ^ifymg the first session. When the requested second connec- 

certificate and the digital signature to verify the user using ^lon is estabbshed, the second connection is associated with 

encryption-based techniques weU known to those skilled in ^"^^ session. Then assume that the ^t and second 

the art, including those described in Schneier, "Applied connections are termmated, and a period of time lapses at 

CrvDtoeraDhv" 1996 which pomt the first session is termmated. The lapse of a 

^. : / • ' ^ A * u tu ^ tu^ period of time in which there is no connection associated 

At step 424, a determination is made as to whether the ^ . . . . ^ i • j r • » • 

. < 'ur^A 1 *• ,^ * fi aan If tu- with an active session represents one kind of session termi- 

user has been authenticated relative to firewall 330. If the . ^ _ . . . ^ - ^ ... 

, ^ . *u *• * J t * tK G 11 natmg event. Other kinds of session terminatmg events 

user has not been authenticated relative to the firewall, then • i 5 v •* *• u *u / "i *"\ « . n 

4 r**u • * «i ^ include exphcit action by the user (e.g. "log out ) or firewall 

execution of the steps ceases. Otherwise, control passes to , . . ^ ^ \ & & / 

step 430. admimstrator. 

In this example, assume user 360, the user associated with . Session data is maintained for each session. Session data 

user process 362, is authenticated using strong authentica- "^^l^^es the identity of the user (user id) ^^ciated with the 

tion. After user 360 is verified, firewaU 330 looks-up user session, user profile data, a session identifier ( session id ), 

360 in the database, based on data identifying the user tunnel configuration data. Firewall 330 generates ses- 

received in the certificate sent to firewall 330 in accordance ^^^^^ mcluding the session id and the user id. 

with the SSL protocol. Execution of the steps thus flows to The session established in step 440 is referred to as the 

step 430. current session. The session data and session id associated 

At step 430. tunnel configuration data is generated. Tun- 30 ^^h the current session are referred to as the current session 

nel configuration data describes the Uinnels through which data and current session id. In this example, a current session 

connections may be estabUshed for a particular user. TUnnel associated with user 360 is established, 

configuration data includes the session id of the current Referring to FIG. 5A, tunnel configuration table 510 is an 

session associated with a user, data defining the tunnels example of session specific data included in tunnel configu- 
through which connections may be established for a par- 35 ration data. Tunnel configuration data maps internal services 

ticular user, and, for each tunnel, the manner in which the to specific tunnel entry ports. Tunnel configuration table 510 

tunnel is created. For example, tunnel configuration data is associated with a login session for user 360, and contains 

may include, for each ninnel, data indicating the hmnel entry four entries. Each entry corresponds to a tunnel through 

port, and which encryption protocols to use. The configu- which a user process associated with user 360 may connect 
ration data may specify which third party digital signature 40 ^ a particular service, and maps a particular internal service 

authenticators to use, (e.g. Verisign Incorporated), whether to the respective tunnel entry port of the ninnel. Each entry 

to use a low level security mechanism, (e.g. Internet Proto- has four fields, an internal host 522, internal port 524, 

col Security Protocol, "IPSEC", a set of low level security firewall host 526, and tunnel entry port 528. In this example, 

protocols established by the Internet Engineering Task internal host 522 and internal port 524 are used to identify 
Force), or a high level mechanism, (e.g. Transport Layer 45 the service mapped to firewall host 526 and tunnel entry port 

Security, "TLS", a modified version of SSL), whether weak 528. It is not necessary that a host and port be used to 

40 bit ciphers are allowed, and which ciphers to use, for identify a service mapped to a specific ninnel entry port. For 

example, RC4 or DES. Tunnel configuration data may be example, a service name can be used to identify the internal 

generated fix)m firewall configuration data 332 (e.g, user service. 

profile data), the internal state of the firewall, and informa- 50 For the tunnel represented by a particular entry, the 

tion about the host from which the user is accessing the internal host and port specified by the values of internal host 

firewall. field 522 and internal port field 524 is considered mapped to 

At step 440, a session with the firewall 330 is established. the tunnel entry port specified by the values of the firewall 

A session is a set of zero or more tunnels that are associated host field 526 and firewall port field 528. A connection 
with a user, the user's user profile data, and tunnel configu- 55 through a ninnel may be established for a user process to a 

ration data. A session is said to be established upon the port on an internal host by creating a connection firom the 

occurrence of a session enabling event, and terminated upon host on which the user process resides to the tunnel entry 

the occurrence of a session terminating event. A session port mapped to the internal host and port. This connection 

which has been established and not terminated is referred to represents a connection through the user-authenticated chan- 

as an active session. An example of a session enabling event 60 the tunnel. 

is the authentication of a user relative to the firewall which For example, consider entry 512. Entry 512 represents 

occurs while no session associated with the user is active. An tunnel 341 (FIG. 3), and maps port 143 on hi .corp (host 312) 

example of a session terminating event is the lapse of a to the tunnel entry port represented by port 777 (FIG. 3) on 

period of time in which no connection associated with a user FWl (Firewall 330). HI. corp is the domain name for host 
is established. 65 312 and FWl is the domain name for firewall 330. A domain 

For example, a first process associated with user 360 name is a string representing a particular network address, 

transmits a first request to connect to a firewall 330 over a such as an IP address, A domain name includes one or more 
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sub-names (e.g. "HI", "corp"), delimited by a punctuation At step 610, a user process transmits a request for a socket 

character, such as a period ("."). Aconnection through tunnel to socket factory 368, for example, by invoking a method of 

341 may be created for user process 362 associated with user the socket factory. The request includes data specifying the 

360 to port 143 on an internal host 312 (hl.corp) by creating internal host and port to which to establish a connection, 
a connection, from a port on the external host, to the tunnel 5 herein referred to as the requested host and port. The request 

entry port represented by port 777 on firewall 330. This also includes data identifying the user session associated 

connection represents a connection through user- with the user process. 

authentication channel 340 (FIG. 3) With respect to tunnel Iq this example, user process 362 transmits a request for 

341, channel 340 is referred to as a user-authenticated a socket to socket factory 368 by invoking a method of 
channel. lO socket factory 368. The request includes the data specifying 

At step 450, the tunnel configuration data is transmitted to that the requested host and port is hl.corp (host 312), port 

user process 362 using login channel 342. User process 362 143. Data identifying the session for user 360 is also 

then configures socket factory 368 by invoking one or more available as part of the request. 

of its methods (e.g., constructor method). In this example. At step 614, a determination is made as to whether a 
the tunnel configuration data is transmitted to user process 15 ^^jnel for connecting to the requested host and port is 

362. The tunnel configuration data includes the current defined for the user. If a tunnel for connecting to the 

session id of user 360 and tunnel configuration table 510. requested host and port is not defined, then control flows to 

User process 362 then invokes a method of socket factory step 618. At step 618, a tunnel is created according to a 

368, passing in the tunnel configuration data needed for default configuration, such as a socket configuration for 

configuration. connecting to the requested host and port for a host on some 

Step 460 is optional. At step 460, inside configuration data network not protected by the firewall according to standard 

is generated for the user and stored as part of the session TCP/IP protocols. If, on the other hand, a tunnel for con- 

assodated with the user. Inside configuration data is used to necting to the requested host and port is defined, control 

define the configuration for each tunnel defined for a par- flows to step 620. 

ticular user. Inside configuration data may be generated by The determination as to whether a tunnel for connecting 

retrieving from firewall configuration data 332 the inside to the requested host and port is made by examining the 

configuration data associated with a particular user. tunnel configuration data associated with the user, and 

In one embodiment of present invention, the configuration determining whether the tunnel configuration data specifies 

of the inside channel is determined on demand. Specifically, a tunnel for the requested host and port. In this example, the 

when a user process attempts to access an internal server determination of whether the tunnel configuration data 

through firewaU 330 by connecting to a tunnel entry port, the specifies a tunnel for the requested host and port is made by 

firewaU examines firewall configuration data 332 to deter- searching for an entry in the tunnel configuration table 5i0 

mine the configuration of the appropriate inside channel. (FIG. 5 A) that has a host field and internal port field that 

Determining the configuration on demand may be more matches the requested host and port. If a match is found, 

efficient because computer resources are not expended deter- then the tunnel configuration data specifies a tunnel for the 

mining and storing configurations of inside channels that requested host and port. 

may never be used. Referring to FIG. 5 A, the values of internal host and 

Referring to FIG. 5B, inside channel table 550 is an internal port of entry 512 explicidy match the hl.corp, port 
example of predetermined inside configuration data stored 40 143 (the requested internal host and port). Entry 518 

as part of the session data of a session associated with a user. matches as well. The wild card character " in " * .corp", the 

Each entry in inside channel table 550 corresponds to a value of the internal host field of entry 518, specifies that the 

tunnel defined for user 360, and maps the tunnel entry port value matches any sequence of subnames followed by 

of the respective tunnel to the inside channel for the tunnel. ".corp". The use of wild card characters and techniques for 
Each entry has three fields, a firewall field 562, firewall port 45 determining values that match a value containing one or 

field 564, and inside channel field 566. For a particular entry, more wild card characters are well known to those skilled in 

the tunnel entry port specified by the values of the firewall the art. Because at least one match was found, control flows 

field 562 and firewall port field 564 is considered mapped to to step 620. 

the inside channel field 566. For example, entry 560 maps At step 620, the configuration of the tunnel socket is 
the tunnel entry port represented by port 777 (FIG. 3) on 50 determined. Determining the configuration of the tunnel 

firewall 330 to inside channel 343. In this example, inside socket includes determining the tunnel entry port for the 

channel table 550 is stored as part of the current session tunnel to the requested host and port, 

associated with user 360. In one embodiment of the invention, the tunnel entry port 

. is the tunnel entry port mapped to the requested internal host 

Oeneratmg a lunnel docket ^^^^ ^j^j^ matches the requested internal 

In order to connect with an internal service from an host and port in the user's tunnel configuration table. The 

external host, a tuimel socket is created on the external host. closest matching entry is the entry having the value for the 

To create a timnel socket, a user process transmits to a socket internal port field that equals the requested port, and a value 

factory data specifying the internal host (e.g. host and port) for internal host field that most expressly matches the 
with which to establish a connection. In response, the socket 60 domain name of the requested host. In this example, internal 

factory creates and configures a tunnel socket to connect to port values of both entries 512 and 518 in tuimel configu- 

the internal host through the tunnel via the tunnel entry port ration table 510 both match the internal port. However, the 

for the tunnel. The timnel socket is configured based on the domain name of the requested host ("hl.corp") more 

tunnel configuration data known to both the client and the expressly matches the internal host value of entry 512 
firewall. FIG. 6 shows the steps for generating a tunnel 65 ("hl.corp") than the internal host value of entry 518 

socket. FIG. 6 shall be explained with reference to the ("*.corp"). Thus, FWl and port 777 represent the firewall 

example provided for FIG. 4. and port of the required user-authenticated channel. 
In addition to configuring the tunnel socket for the tunnel entry port, the configuration of other aspects of the socket may be determined. For example, as mentioned earlier, tunnel configuration data may specify a particular encryption protocol to be used for a particular tunnel. The configuration of the tunnel socket's encryption protocol may be determined based on tunnel configuration data.
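The host-and-port lookup of steps 614 through 620, including the wild card match against entry 518 and the choice of the closest entry, as an added example in Python (not code from the patent). The table below is a constructed stand-in for tunnel configuration table 510: only entries 512 and 518 are taken from the page, the other two rows are assumed, the "*" semantics follow fnmatch, and the ranking used for "most expressly matches" (an exact host outranks a wild card, then more literal subnames win) is an assumption, since the page does not define it.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TunnelEntry:
    """One row of tunnel configuration table 510 (FIG. 5A)."""
    internal_host: str      # field 522; may contain the "*" wild card
    internal_port: int      # field 524
    firewall_host: str      # field 526
    tunnel_entry_port: int  # field 528


# Constructed stand-in for table 510: entries 512 and 518 are from the page,
# the other two rows are assumed to fill out the four-entry table.
TABLE_510: List[TunnelEntry] = [
    TunnelEntry("h1.corp", 143, "FW1", 777),   # entry 512, tunnel 341
    TunnelEntry("h1.corp", 21, "FW1", 778),    # assumed
    TunnelEntry("*.corp", 143, "FW1", 779),    # entry 518
    TunnelEntry("*.corp", 80, "FW1", 780),     # assumed
]


def host_matches(pattern: str, host: str) -> bool:
    """'*' matches any sequence of subnames. Assumption: fnmatch semantics,
    compared case-insensitively because domain names are."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def specificity(pattern: str) -> Tuple[bool, int]:
    """Rank for 'most expressly matches': an exact host beats any wild card,
    then more literal subnames beat fewer (this ordering is an assumption)."""
    literal = [part for part in pattern.split(".") if "*" not in part]
    return ("*" not in pattern, len(literal))


@dataclass(frozen=True)
class SocketConfig:
    """What the socket factory hands to the socket constructor (step 630)."""
    connect_host: str
    connect_port: int
    session_id: Optional[str]   # None for a plain socket (step 618)
    tunneled: bool


class TunnelSocketFactory:
    """Socket factory 368, configured with the session's tunnel data (step 450)."""

    def __init__(self, session_id: str, table: List[TunnelEntry]):
        self.session_id = session_id
        self.table = list(table)

    def find_tunnel(self, host: str, port: int) -> Optional[TunnelEntry]:
        """Step 614: is any entry defined for this host and port? Step 620:
        pick the closest one. The port must match exactly; only the host
        field takes wild cards."""
        candidates = [e for e in self.table
                      if e.internal_port == port
                      and host_matches(e.internal_host, host)]
        if not candidates:
            return None
        return max(candidates, key=lambda e: specificity(e.internal_host))

    def create_socket(self, host: str, port: int) -> SocketConfig:
        entry = self.find_tunnel(host, port)
        if entry is None:
            # Step 618: default configuration, a direct TCP connection.
            return SocketConfig(host, port, None, False)
        # Tunnel socket 367 is built for FW1:777, not for h1.corp:143.
        return SocketConfig(entry.firewall_host, entry.tunnel_entry_port,
                            self.session_id, True)


if __name__ == "__main__":
    factory = TunnelSocketFactory("sess-360", TABLE_510)
    print(factory.create_socket("h1.corp", 143))
    print(factory.create_socket("h2.corp", 143))
    print(factory.create_socket("h1.corp", 22))
```

The factory's answer is a client-side hint only: a wild card entry such as "*.corp" lets every host under that domain map to the same entry port, so the firewall still decides at step 720, per session, whether the requested tunnel entry port is defined before it opens an inside channel.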

At step 630, the tunnel socket is generated according to 
the configuration determined in step 620. Generating a 
socket includes allocating memory to data structures and lo 
objects defined by the class to which the socket belongs, and 
initializing those data structures and objects, which may be 
initialized according to the configuration determined in step 
620. 

When generating a socket, a constructor method associated with the socket class may be invoked. Values for parameters passed to the constructor method may be based on the configuration determined in step 620. The constructor method, in turn, may base the configuration of the socket on the values passed in as parameters. In this example, a constructor method is invoked to create tunnel socket 367 (FIG. 3), passing in the values for the tunnel entry port corresponding to the required user-authenticated channel, i.e. "FW1" and 777.
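A tunnel socket is only usable inside an active session, so the session handling of steps 420 through 440 belongs here too: a stale session id forces re-authentication, a fresh login while a session is active joins that session, and a period with no connection terminates it. The following is an added example in Python, not code from the patent. The challenge/response mechanism is assumed to be HMAC-SHA256 over a random challenge (the page fixes no mechanism), the idle timeout value, user database and per-user tunnel definitions are constructed, and time is passed in explicitly so the terminating event can be exercised.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = 600.0   # assumed: seconds with no connection before a session ends

# Constructed user database and per-user tunnel definitions (table 510 data).
USER_SECRETS: Dict[str, bytes] = {"user360": b"shared-secret-of-user-360"}
USER_TUNNELS = {"user360": {("h1.corp", 143): ("FW1", 777)}}


def expected_response(secret: bytes, challenge: bytes) -> str:
    """The mechanism 'supplied to both the firewall and authentic users'.
    Assumption: HMAC-SHA256 over the challenge; the page fixes no mechanism."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


@dataclass
class Session:
    """Session data: session id, user id, tunnel configuration, liveness."""
    session_id: str
    user_id: str
    tunnel_config: Dict[Tuple[str, int], Tuple[str, int]]
    last_activity: float
    open_connections: int = 0
    active: bool = True


class SessionManager:
    """Firewall-side session bookkeeping for steps 420 through 440."""

    def __init__(self, user_secrets, user_tunnels):
        self.user_secrets = user_secrets
        self.user_tunnels = user_tunnels
        self.sessions: Dict[str, Session] = {}
        self.pending: Dict[str, bytes] = {}   # outstanding challenge per user

    def challenge(self, user_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user_id] = nonce
        return nonce

    def active_session_for(self, user_id: str) -> Optional[Session]:
        return next((s for s in self.sessions.values()
                     if s.active and s.user_id == user_id), None)

    def authenticate(self, user_id: str, response: str, now: float) -> Optional[Session]:
        """Step 420: verify the response. Steps 430/440: creating a session is
        the session enabling event only when no session for the user is
        active; otherwise the new login is attached to the existing session."""
        nonce = self.pending.pop(user_id, None)      # one use per challenge
        secret = self.user_secrets.get(user_id)
        if nonce is None or secret is None:
            return None
        if not hmac.compare_digest(response, expected_response(secret, nonce)):
            return None   # step 424: not authenticated, execution ceases
        session = self.active_session_for(user_id)
        if session is None:
            session = Session(secrets.token_hex(8), user_id,
                              dict(self.user_tunnels.get(user_id, {})), now)
            self.sessions[session.session_id] = session
        session.last_activity = now
        return session

    def connection_opened(self, session_id: str, now: float) -> bool:
        """A connection request names a session id; it is honoured only for
        an active session (a stale id means: authenticate again)."""
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            return False
        session.open_connections += 1
        session.last_activity = now
        return True

    def connection_closed(self, session_id: str, now: float) -> None:
        session = self.sessions[session_id]
        session.open_connections -= 1
        session.last_activity = now

    def expire_idle(self, now: float) -> List[str]:
        """Session terminating event: no connection for IDLE_TIMEOUT seconds."""
        ended = []
        for session in self.sessions.values():
            if (session.active and session.open_connections == 0
                    and now - session.last_activity > IDLE_TIMEOUT):
                session.active = False
                ended.append(session.session_id)
        return ended

    def terminate(self, session_id: str) -> None:
        """Explicit terminating event: user log out or administrator action."""
        self.sessions[session_id].active = False
```

Each challenge is consumed on first use, whether or not the response is correct, so a captured response cannot be replayed; and a connection request naming an expired session is refused rather than silently reviving the session, which is exactly the case in which the page has the user authenticate again over login channel 342.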


Creating a Connection Through a Tunnel 

Once a tunnel socket is created by a socket factory as an interface to a tunnel, it may be used to establish a connection to the internal host and port for which the tunnel socket is configured. The tunnel consists of two connections: a first one established by the client to the firewall, and a second one established by the firewall to the inside host. Those connections actualize channels which are identified in tunnel configuration data shared between client and firewall systems.

Typically, that first connection is established by invoking a connection method of the tunnel socket. In response to the user process on host 350 invoking the connection method, a request for the establishment of a connection with the firewall is transmitted, which creates the user-authenticated channel for which the socket is configured. When the firewall receives the request, the firewall determines whether a connection through tunnel 341 to the tunnel entry port 528 should be established. If the tunnel should be established, the firewall establishes a second connection to the internal host. The second connection is the inside channel.

FIG. 7 shows steps performed for connecting to an internal host through a tunnel. The steps are explained with reference to the example described above in which user 360 is attempting to connect to host 312.

At step 710, a request for a connection to a tunnel entry port ("requested tunnel entry port") is transmitted to the firewall. The request is transmitted in response to, for example, a user process invoking a "connect" method of a tunnel socket configured for the tunnel. The request includes data indicating the session id of the session associated with the respective user. The request is herein referred to as the connection request. In this example, the connect method of tunnel socket 367 is invoked.

At step 720, a determination is made as to whether a tunnel has been defined that is associated with the requested tunnel entry port, based on the session associated with the user. The firewall makes this determination by examining the tunnel configuration data stored as part of the session data associated with the user. If the tunnel data indicates that a tunnel has been defined for the user, then control flows to step 750. Otherwise, control flows to step 730, where alternate firewall connection request management measures are followed, such as measures for failing the connection request.

In this example, firewall 330 examines tunnel configura- 
tion table 510 (FIG. 5A), the tunnel configuration data stored 
as part of the session data associated with the user. If tunnel 
configuration table 510 contains an entry that corresponds to 
the requested tunnel entry port, then a tunnel has been 
defined for the tunnel entry port. 

Inside the firewall, associated with the tunnel configuration data is an inside channel table 550 (FIG. 5B) which may contain entries identifying the inside connections associated with the defined inside channels. For example, corresponding to entry 512 is entry 560, recording that a connection 343 has already been created to support that particular tunnel. In this case the tunnel has not only been defined, but it has also been fully established.

As mentioned before, in alternate embodiments of the present invention, the inside configuration may be determined on demand. The on demand determination is made by techniques described shortly.

At step 750, a connection through the tunnel is estab- 
lished. Several exemplary methods for establishing a con- 
nection are shown in FIG. 8 and FIG. 9, and shall be 
described in further detail. 

Firewall-Mapped Inside Channels 

FIG. 8 shows steps for establishing a tunnel according to 
the method referred to herein as the "firewall-mapped" 
approach. To establish a connection through a tunnel under 
the "Firewall-mapped" approach, first a determination is 
made as to the inside channel through which to establish a 
connection between the firewall and the requested internal 
host and port. Under the "firewall-mapped" approach, this 
determination is based on an inside port-to-tunnel-entry-port 
mapping that resides within firewall 330 for the user of the 
current session (e.g. inside configuration data stored in 
firewall configuration data 332). 

Next, a connection is established from firewall 330 to the requested internal host and port through the just determined tunnel inside channel, and recorded in the inside channel configuration table. Once the connection is established, firewall 330 receives data from the respective user process via the user-authenticated channel for the tunnel and transmits the data to the respective internal host via the inside channel. The respective internal host transmits data to firewall 330 via the inside channel. Firewall 330, in turn, transmits the data to the respective user process via the user-authenticated channel.

At step 810, a tunnel object is created. A tunnel object is 
an instantiation of a class referred to as a tunnel class. The 
definition and implementation (i.e. code) of a tunnel class is 
stored in the firewall system libraries 333. In this example, 
tunnel object 334 is created as an instantiation of a tunnel 
class. 

Steps 820 through 850 are performed during the execution of the constructor method invoked in step 810. The steps may be executed by code that is part of the implementation of the constructor method, or by code in methods, functions, or other procedures invoked directly or indirectly by the constructor method.

US 6,754, 17

At step 820, a determination is made as to the inside channel that corresponds to the requested tunnel by examining the inside configuration data. As mentioned before, the inside configuration data is part of the session data. In this example, the inside channel table 550 is examined. Entry 560 indicates that the required tunnel entry port is mapped to inside channel 343.

At step 830, a connection to the requested internal host and port is established via the inside channel, using any number of techniques well known to those skilled in the art. In this example, a socket is created for connecting through inside channel 343. During execution of the constructor method, the connection through inside channel 343 is established.

At step 840, a user-to-host tunneling thread is spawned. A user-to-host tunneling thread receives data from a user process via the user-authenticated channel and transmits the data to the internal host via the inside channel. In this example, a user-to-host tunneling thread is spawned.

At step 850, a host-to-user tunneling thread is spawned. A host-to-user tunneling thread receives data from the internal host via the inside channel and transmits the data to the user process via the user-authenticated channel. In this example, a host-to-user tunneling thread is spawned.

Rather than spawning two threads to transfer data between the internal and external hosts through the firewall (i.e. as in steps 840 and 850), an asynchronous I/O scheme may be used. The asynchronous scheme requires far fewer threads to pass the data between hosts. Examples of asynchronous scheme mechanisms include the "poll" and "select" system calls available on UNIX, and "WaitForMultipleObjects" on the Microsoft Win32 platform.
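Steps 710 through 830 with the select-based relay just described, run end to end over the loopback interface, as an added example in Python (not the patent's code). The "SESSION <id>" line that carries the session id in the connection request, the "OK"/"DENY" reply, the ephemeral ports standing in for tunnel entry port 777 and inside port 143, and the echo server standing in for the internal service are all assumptions of this example; the per-session set of permitted entry ports plays the role of table 510 and the entry-port to inside-host-and-port dictionary the role of table 550.

```python
import selectors
import socket
import threading

SESSION_ID = "sess-360"   # assumed session id issued to user 360 at step 440


def read_line(sock: socket.socket) -> str:
    """Read one newline-terminated text line, byte by byte (demo only)."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().rstrip("\n")


def relay(user_sock: socket.socket, inside_sock: socket.socket) -> None:
    """Copy bytes both ways until each side has sent EOF: the select-based
    alternative to the two tunneling threads of steps 840 and 850."""
    sel = selectors.DefaultSelector()
    sel.register(user_sock, selectors.EVENT_READ, inside_sock)
    sel.register(inside_sock, selectors.EVENT_READ, user_sock)
    open_ends = 2
    while open_ends:
        for key, _ in sel.select():
            peer = key.data
            data = key.fileobj.recv(4096)
            if data:
                peer.sendall(data)              # forward to the other channel
                continue
            sel.unregister(key.fileobj)         # this side is done sending
            open_ends -= 1
            try:
                peer.shutdown(socket.SHUT_WR)   # propagate EOF to the other side
            except OSError:
                pass
    sel.close()


def echo_service(listener: socket.socket) -> None:
    """Stand-in for the internal service on the inside port: echoes input."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def firewall_tunnel(listener, session_tunnels, inside_channels) -> str:
    """Handle one connection request on a tunnel entry port (FIG. 7 and 8)."""
    entry_port = listener.getsockname()[1]
    user_sock, _ = listener.accept()
    listener.close()
    with user_sock:
        # Step 710: the connection request carries the session id.
        session_id = read_line(user_sock).partition(" ")[2]
        # Step 720: is a tunnel on this entry port defined in that session?
        if entry_port not in session_tunnels.get(session_id, ()):
            user_sock.sendall(b"DENY\n")        # step 730: fail the request
            return "rejected"
        # Steps 820 and 830: firewall-mapped inside channel lookup, then a
        # connection from the firewall to the internal host and port.
        with socket.create_connection(inside_channels[entry_port]) as inside:
            user_sock.sendall(b"OK\n")
            relay(user_sock, inside)
    return "relayed"


def run_demo(session_id: str = SESSION_ID, payload: bytes = b"hello host 312"):
    """Drive one tunnel connection end to end over the loopback interface."""
    inside_listener = socket.create_server(("127.0.0.1", 0))
    entry_listener = socket.create_server(("127.0.0.1", 0))
    entry_port = entry_listener.getsockname()[1]
    session_tunnels = {SESSION_ID: {entry_port}}                    # table 510 role
    inside_channels = {entry_port: inside_listener.getsockname()}   # table 550 role
    outcome = {}
    t_inside = threading.Thread(target=echo_service, args=(inside_listener,))
    t_fw = threading.Thread(target=lambda: outcome.update(
        result=firewall_tunnel(entry_listener, session_tunnels, inside_channels)))
    t_inside.start()
    t_fw.start()
    echoed = b""
    # Client side: tunnel socket 367 connects to FW1:777, not to h1.corp:143.
    with socket.create_connection(("127.0.0.1", entry_port)) as tunnel_sock:
        tunnel_sock.sendall(f"SESSION {session_id}\n".encode())
        if read_line(tunnel_sock) == "OK":
            tunnel_sock.sendall(payload)
            while len(echoed) < len(payload):
                chunk = tunnel_sock.recv(4096)
                if not chunk:
                    break
                echoed += chunk
    t_fw.join()
    if outcome["result"] == "rejected":       # nothing reached the inside port;
        socket.create_connection(inside_channels[entry_port]).close()  # wake it
    t_inside.join()
    return outcome["result"], echoed


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(session_id="stale-or-forged"))
```

run_demo() returns ("relayed", payload) when the session id names a session in which the entry port is defined, and ("rejected", b"") otherwise. In the rejected case the firewall never opens the inside channel, which is the property step 720 exists to guarantee: the inside port is reachable only through a session that lists that entry port.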

Class-Based Tunnel Objects 

FIG. 9 shows the steps for establishing a tunnel according to the method referred to herein as the "class-based" approach. Under the class-based approach, the manner in which a tunnel is established depends on the tunnel class selected to instantiate a tunnel object. FIG. 10 depicts classes from which tunnel objects may be created as instances. These classes shall be described in further detail. Under the "class-based" approach, a connection through a tunnel may be established according to a variety of approaches. These different approaches may be necessitated by the needs of different kinds of application protocols. The firewall may be configured to permit secure tunneling to specific applications. Without this flexibility, only simple applications can be supported.

At step 910, a determination is made as to the tunnel class of the tunnel object to create in order to establish the tunnel. The determination may be made using a variety of techniques. For example, the inside configuration data may contain an algorithmic mapping of tunnel entry ports to tunnel classes rather than a static mapping. The determination of the tunnel class is made by finding the class that is mapped to the requested tunnel entry port.

It should be noted that some services are, by convention, consistently assigned to the same port. An example of such a service is a web server, which is by convention assigned to port 80, or an FTP server, which is by convention assigned to port 21. Ports to which other services are assigned may vary. For example, RPC calendar service 317 may be assigned to a port by an RPC binder 311. An RPC binder maps an RPC service name to a specific port on a specific machine. In particular, an RPC binder may map RPC service 100068 (i.e. RPC calendar service 317) to port number 2097 at one moment, and later to port 3722. This precludes the use of static mappings in tunnel configuration data for this class of applications.
For illustrative purposes, assume that the tunnel configuration data associated with a given firewall entry port identifies it as providing access to the RPC calendar service on some host, or for some user. Based on this data, it is determined that the class of the tunnel object is RPCalTunnel, a tunnel class provided in firewall system libraries 333 for the RPC Calendar service 317. That application requires specialized procedures to use the inside channel, accessible through class RPCalTunnel. Furthermore, while that class could simply establish a tunnel connection and pass data, it might also act as an application level proxy.

Finally, a default tunnel class may be used to create the tunnel object when, for example, no class is mapped to the requested tunnel port, no particular class is provided in the firewall system libraries for the sought service, or no data indicating a sought service is received.

After determining the tunnel class in step 910, at step 920, 
a tunnel object is created by invoking the constructor of the 
tunnel class. For example, a tunnel object may be created as 
an instantiation of RPCalTunnel 1020 (FIG. 10). 

Steps 930 through 950 are performed during the execution of the constructor method invoked as part of creating the object in step 920. The steps may be executed by code that is part of the implementation of the constructor method, or by code in methods or functions invoked directly or indirectly by the constructor method.

At step 930, the inside channel configuration is deter- 
mined. Determining the inside channel configuration 
involves determining the inside port and other aspects of the 
inside channel. Such additional aspects include the user 
identity with which the channel must be authenticated, the 
level of privacy required, the priority for such traffic, and the 
quality of service needed. The inside port can be determined 
using a variety of approaches. One approach for determining 
the inside port is the firewall-mapped inside channel 
approach (specifically, step 820 in FIG. 8), previously 
described. 

Another approach is the service mapped approach, which 
supports one kind of algorithmic mapping from tunnel con- 
figuration data to inside channels. In the service mapped 
approach, the inside port is supplied by an internal service 
(i.e. a service provided on an internal host). For example, a 
tunnel object may transmit to RPC binder 311 a request for 
data indicating the port and host to which the RPC Calendar 
service 317 is assigned. In response, RPC binder 311 returns 
the port and host assigned to the RPC Calendar service. 

The particular approach used for determining the inside 
port may depend on the particular class to which the tunnel 
object belongs. In addition, the configuration of other 
aspects of the tunnel objects depends on the particular class. 

At step 940, a user-to-host tunneling thread is spawned. At 
step 950, a host-to-user tunneling thread is spawned. 
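As an added illustration (not code from the patent), the following Python models the class-based tunnel object approach of steps 910 through 950, with the firewall-mapped and service-mapped ways of determining the inside port; the configuration table, the stand-in for RPC binder 311, the IMAP authentication check and all host names and ports are constructed, and the tunneling threads of steps 940 and 950 are omitted.

```python
"""Model of class-based tunnel objects (FIG. 9): the tunnel class is chosen
from tunnel configuration data, and each class decides how the inside port
is found. All tables, hosts and ports below are constructed sample data."""
from dataclasses import dataclass

# Constructed tunnel configuration table: firewall entry port -> config.
# "inside" is a static host:port mapping (firewall-mapped approach);
# the RPC entry has none, because the binder may move the service.
TUNNEL_CONFIG = {
    8443: {"service": "imap", "inside": ("mailhost", 143)},
    8100: {"service": "rpc.calendar", "rpc_program": 100068},
    8200: {"inside": ("fileserver", 21)},          # no service named
}

# Constructed stand-in for RPC binder 311: program number -> (host, port).
RPC_BINDER = {100068: ("calhost", 2097)}


def rebind(program, host, port):
    """Simulate the RPC binder assigning a service to a new host/port."""
    RPC_BINDER[program] = (host, port)


@dataclass
class InsideChannel:
    host: str
    port: int
    user: str        # identity the inside channel is authenticated as


class FWTunnel:
    """Default tunnel class: inside port via the firewall-mapped approach."""

    def __init__(self, entry_port, user, config):
        self.entry_port = entry_port
        self.user = user
        self.config = config
        self.inside = self.get_int_port()        # step 930
        # steps 940/950 (tunneling threads) are omitted in this model

    def get_int_port(self):
        host, port = self.config["inside"]      # static mapping (step 820)
        return InsideChannel(host, port, self.user)


class RPCalTunnel(FWTunnel):
    """Service-mapped approach: ask the RPC binder at tunnel setup time."""

    def get_int_port(self):
        host, port = RPC_BINDER[self.config["rpc_program"]]
        return InsideChannel(host, port, self.user)


class IMAPTunnel(FWTunnel):
    """Adds service-level authentication on top of firewall authentication."""

    def __init__(self, entry_port, user, config):
        super().__init__(entry_port, user, config)
        self.service_authenticated = self.authenticate()

    def authenticate(self):
        # Constructed stand-in for presenting session data to the IMAP service
        return self.user.endswith("@example.org")


TUNNEL_CLASSES = {"rpc.calendar": RPCalTunnel, "imap": IMAPTunnel}


def create_tunnel(entry_port, user):
    """Step 910: pick the class (default FWTunnel); step 920: construct it."""
    config = TUNNEL_CONFIG[entry_port]
    cls = TUNNEL_CLASSES.get(config.get("service"), FWTunnel)
    return cls(entry_port, user, config)
```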

Tailoring Configurations of Sockets and Tunnel 
Objects Through Inheritance 

Tunnel objects and tunnel socket objects may be specially 
configured to establish a connection in a way that takes 
advantage of the power and simplicity of the inheritance 
feature of object oriented software. Inheritance allows a 
hierarchy to be established between classes. The attributes 
and methods of a class automatically become attributes and 
methods of the classes that are based upon the given class in 
the hierarchy. A class which inherits its attributes and 
methods from another class is said to be a subclass of the 
other class. The one or more classes from which the subclass 
inherited its attributes and methods are said to be super 
classes relative to the subclass. For example, consider a class 
hierarchy in which class TERRIER inherits its attributes and 
methods from class DOG, which in turn inherits its attributes and 
methods from class ANIMAL. Class TERRIER is a subclass 
of class DOG and class ANIMAL. Class DOG is a subclass 
of class ANIMAL. Class DOG is a super class to class 
TERRIER, and class ANIMAL is super class to class DOG 
and class TERRIER. 

Note the term routine, as used herein, is synonymous with 
method, when used relative to a class. For example, a 
method defined by a class may also be referred to as a 
routine defined by a class. A method may be defined for a 
class even though the class does not define an implementa- 
tion (i.e. code) for the method. For example, the class 
ANIMAL may define the method SOUND without provid- 
ing any implementation. The class DOG, which inherits the 
method SOUND, may define an implementation for 
SOUND which generates a generic bark. The class 
TERRIER, which inherits method SOUND, may define an 
implementation for SOUND that generates a terrier bark. 
Such an implementation is said to be an override implemen- 
tation. An override implementation is code executed for the 
subclass for a method inherited from a superclass in place of 
any code, if any, defined for the method by the superclass. 

FIG. 10 shows an exemplary hierarchy of classes that may 
be implemented for use in accordance with the class-based 
approach. FWTunnel 1010 is a superclass of subclasses 
RPCalTunnel 1020 and IMAPTunnel 1030. FWTunnel 1010 
is a class that provides a default mechanism for establishing 
connections through tunnels. RPCalTunnel 1020 is a class for 
establishing connections through tunnels to RPC calendar 
services, while the IMAPTunnel is a class for establishing 
connections through tunnels to IMAP services. 

When an object is instantiated from FWTunnel 1010, a 
connection to a tunnel is established in accordance with the 
class-based tunnel objects approach shown in FIG. 9. The 
GetIntPort 1014 method is a method invoked by tunnel 
constructor method 1011 in order to determine the inside 
port (e.g. step 930). This implementation uses the "firewall 
mapped" approach to determine the inside port. The other 
steps described for FIG. 9 (e.g. 940, 950) are performed by 
code in the tunnel constructor method, or by other methods 
or functions invoked, directly or indirectly, by tunnel 
constructor method 1011. An implementation is executed 
when the tunnel constructor method 1011 is invoked. 
Implementation 1016 is code which determines the inside 
port. 

RPCTunnel is a subclass of FWTunnel 1010 from which 
tunnel objects to an RPC Calendar service are instantiated. 
When a tunnel object is created as an instance of the 
RPCTunnel class, many of the steps shown in FIG. 9, such 
as establishing the user-host thread and the host-user thread, 
are performed in the same manner as for any other objects 
created as an instance of FWTunnel. However, the inside 
port is determined in a different manner. Specifically, the 
inside port is determined according to the service mapped 
approach. Override implementation 1026 is code which 
determines the inside port in accordance with the service 
mapped approach. 

Classes for Providing Additional Functionality 

In addition to providing subclasses that configure inside 
channels in a particular manner, a particular subclass can be 
provided with overriding implementations or additional 
methods that provide additional functionality needed for a 
particular situation. For example, IMAP subclass 1030, 
shown in FIG. 10, provides an authenticate method 1033, 
which is invoked by the override implementation 1037 of 
tunnel constructor method 1011. The authenticate 
method 1037 interfaces with the authentication mechanism 
of IMAP service 315 to authenticate the user to the IMAP 
service (i.e. relative to the IMAP service). The authenticate 
method 1037 may provide data to the authentication mecha- 
nism of the IMAP service based on the session data asso- 
ciated with the user. Note that internal services may require 
their own authentication mechanisms even 
though a user has been authenticated relative to the firewall. 

Sockets Configured Through Inheritance 

As mentioned before, tunnel sockets configured for a 
particular situation can be configured using the power and 
simplicity of inheritance. For example, a superclass of 
sockets may be established for creating sockets using stan- 
dard direct TCP connections. A subclass of the superclass 
may create sockets that run additional 
protocols (e.g. SSL, SOCKS) over TCP, or configure TCP 
to use specific low level network security features (e.g. 
security management features for the Internet, such as those 
from Sun Microsystems). 

A group of related services might use common service 
infrastructure. For example, all the different sorts 
of mail services for a given user might be offered at the same 
host but at different ports. A base class would map from the 
user to the mail host. 

A socket factory may select the particular class from 
which to create a socket based on tunnel configuration data. 
For example, the tunnel configuration table may contain 
another field called encryption protocol, which stores a 
value indicating the encryption protocol to use for a par- 
ticular tunnel. At step 620, it may be determined that a 
particular encryption protocol is to be used to configure the 
socket. At step 630, a socket may be created and configured 
to use the particular protocol by creating the object as an 
instantiation of the class or subclass that corresponds to the 
particular encryption protocol. 

In the foregoing specification, the invention has been 
described with reference to specific embodiments thereof. It 
will, however, be evident that various modifications and 
changes may be made thereto without departing from the 
broader spirit and scope of the invention. The specification 
and drawings are, accordingly, to be regarded in an illus- 
trative rather than a restrictive sense. 

What is claimed is: 

1. A method of communicating between a process on an 
external host and an internal host behind a firewall, the 
method comprising: 

authenticating a user relative to the firewall that is asso- 
ciated with the process; and if the user is authenticated 
relative to the firewall, then: 

generating a first set of configuration data indicating a 
configuration of a tunnel for connecting the process 
to the internal host and the manner in which the 
tunnel is created, 

generating a socket based on the first set of configura- 
tion data, the socket being configured to connect the 
process to the internal host through the tunnel, 

establishing a session associated with the user, wherein 
the tunnel is associated with the session, and 

transmitting the first set of configuration data to the 
external host, 

wherein generating said socket includes instantiating said 
socket as an object belonging to a socket subclass, 
wherein: 
said socket subclass belongs to a socket super class that 
includes a first routine, and 

said socket subclass defines an implementation for said 
first routine, said implementation configuring sock- 
ets. 

2. The method of claim 1, further including: 
requesting a socket for connecting said process to said 
internal host prior to generating said socket. 

3. The method of claim 1, wherein generating said socket 
further includes configuring said socket to connect said 
process to said firewall via a first channel using said session. 

4. The method of claim 1, further including: 
requesting a connection through said socket, and 

in response to requesting a connection through said 
socket, establishing said connection through said tun- 
nel. 

5. A method of communicating between a process resid- 
ing on an external host and an internal host behind a firewall, 
the method comprising the steps of: 

authenticating a user relative to the firewall that is asso- 
ciated with the process; 

establishing a session associated with the user; 

causing a first set of configuration data to be transmitted 
to the external host, said first set of configuration data 
indicating a configuration of a tunnel for connecting the 
process to the internal host; 

receiving, by a socket factory, a request from the process 
for a socket to connect said process to the internal host; 

generating, by the socket factory, said socket based on the 
first set of configuration data, said socket being con- 
figured to connect the process to the internal host 
through the tunnel; and 

receiving, by the firewall, a request from the external host 
for a connection through said socket, and in response to 
receiving said request for a connection, establishing, 
via the firewall, said connection through the tunnel via 
a first channel using the session. 

6. A method of communicating between a process resid- 
ing on an external host and an internal host behind a firewall, 
the method comprising the steps of: 

authenticating a user relative to the firewall that is asso- 
ciated with the process; 

establishing a session associated with the user; 

causing a first set of configuration data to be transmitted 
to the external host, said first set of configuration data 
indicating a configuration of a tunnel for connecting the 
process to the internal host; 

receiving, by a socket factory, a request from the process 
for a socket to connect said process to the internal host; 

generating, by the socket factory, said socket based on the 
first set of configuration data, said socket being con- 
figured to connect the process to the internal host 
through the tunnel; and 

receiving, by the firewall, a request from the external host 
for a connection through said socket, and establishing, 
via the firewall, said connection through the tunnel, 

wherein establishing said connection through said tunnel 
includes determining the configuration of said tunnel 
based on data received from a service residing on a third 
host accessible to said firewall. 

7. A method of communicating between a process resid- 
ing on an external host and an internal host behind a firewall, 
the method comprising the steps of: 

authenticating a user relative to the firewall that is asso- 
ciated with the process; 

establishing a session associated with the user; 

causing a first set of configuration data to be transmitted 
to the external host, said first set of configuration data 
indicating a configuration of a tunnel for connecting the 
process to the internal host; 

receiving, by a socket factory, a request from the process 
for a socket to connect said process to the internal host; 

generating, by the socket factory, said socket based on the 
first set of configuration data, said socket being con- 
figured to connect the process to the internal host 
through the tunnel; and 

receiving, by the firewall, a request from the external host 
for a connection through said socket and establishing, 
via the firewall, said connection through the tunnel, 
wherein establishing said connection through said tun- 
nel includes instantiating a tunnel object residing 
within said firewall associated with said connection. 

8. The method of claim 7, wherein: 

said first channel includes a first port on said firewall; and 

the step of configuring said socket includes configuring 
said socket based on a mapping that maps said first port 
to a second port on said internal host. 

9. The method of claim 7, wherein instantiating a tunnel 
object includes instantiating a tunnel object belonging to a 
tunnel subclass, wherein: 

said tunnel subclass belongs to a tunnel super class, 
wherein said tunnel super class defines a first routine, and 
wherein said tunnel sub class includes an implementation 
configuring tunnels. 

10. A method of communicating between a process asso- 
ciated with a user on an external host and an internal host 
that is behind a firewall, the method comprising: 

receiving tunnel configuration data, said tunnel configu- 
ration data indicating the configuration of a tunnel for 
connecting said process to said internal host using a 
session established for said user on said firewall; and 

generating a socket for connecting said process to said 
internal host based on said tunnel configuration data, 

wherein generating a socket includes instantiating a 
socket as an object belonging to a socket sub class, 
wherein: 

said socket subclass belongs to a socket super class that 
includes a first routine, and 

said socket subclass defines an implementation for said 
first routine, said implementation configuring said 
sockets. 

11. The method of claim 10, wherein: 

the method further includes requesting a socket to said 
internal host; and 

wherein the step of generating a first socket for connect- 
ing said process to said internal host includes generat- 
ing a socket configured to connect said process to said 
internal host via said tunnel. 

12. The method of claim 10, wherein generating a socket 
configured to connect said process to said internal host via 
said tunnel includes generating a socket configured to con- 
nect said process to a tunnel entry port associated with said 
firewall. 

13. A computer readable medium carrying one or more 
sequences of one or more instructions for communicating 
between a process on an external host and an internal host 
behind a firewall, wherein the execution of the one or more 
sequences of the one or more instructions by one or more 
processors causes the one or more processors to perform: 

authenticating a user that is associated with said process 
relative to said firewall; and 

if said user is authenticated relative to said firewall, then: 

generating a first set of configuration data indicating a 
configuration of a tunnel for connecting said process 
to said internal host and the manner in which the 
tunnel is created, 

generating a socket based on the first set of configura- 
tion data, the socket being configured to connect the 
process to the internal host through the tunnel, 

establishing a session associated with said user, 
wherein said tunnel is associated with the session, 
and 

transmitting the first set of configuration data to said 
external host, 

wherein generating said socket includes instantiating said 
socket as an object belonging to a socket subclass, 
wherein: 

said socket subclass belongs to a socket super class that 
includes a first routine, and 

said socket subclass defines an implementation for said 
first routine, said implementation configuring sock- 
ets. 

14. A computer system, comprising: 
a firewall comprising a processor; and 
a memory, including instructions, coupled to said 
processor, 

said processor executing the instructions to authenticate a 
user that is associated with a process relative to said 
firewall and, if said user is authenticated relative to said 
firewall; 

generate a first set of configuration data using user profile 
data and information associated with the external host, 
said first set of configuration data indicating a configu- 
ration of a tunnel for connecting said process to an 
internal host behind said firewall and the manner in 
which the tunnel is created, 
generate a socket based on the first set of configuration 
data, the socket being configured to connect the process 
to the internal host through the tunnel, 
establish a session associated with said user, wherein said 
tunnel is associated with the session, and 
cause the first set of configuration data to be transmitted 
to said external host, 
wherein the socket is instantiated as an object belonging 
to a socket subclass, wherein: 

said socket subclass belongs to a socket super class that 
includes a first routine, and 
said socket subclass defines an implementation for said 
first routine, said implementation configuring sock- 
ets. 

* * * * * 